LDAP question

Frank Sorenson wrote:
> Mike Lovell wrote:
>> I am trying to get an LDAP working for an environment that I have.
>> Currently, the LDAP is working an I can authenticate the LDAP and
>> everything is working fine. The one complaint I have is that one user
>> or group lookup where the local account information is sufficient,
>> there is still an query going again LDAP. Does anyone know if it is
>> possible to configure things so that if there is a result found in
>> /etc/passwd and /etc/group to then not do a query against the LDAP? I
>> am wanting to deploy this in an environment that is doing a ton of
>> file operations as a particular user that is already on the local
>> machines and I don't want queries hitting the LDAP all of the time
>> and killing it. I know nscd will cache the info but I am wanting to
>> not hit the LDAP for that user at all. Here is what I have in my
>> nsswitch.conf.
> The nsswitch.conf looks fine. I'd look into the ordering of the pam
> stack. Check for references to pam_ldap.so in the
> /etc/pam.d/system-auth or service-specific configuration, and make
> sure that the ordering there only goes to ldap if it's not found
> locally. For example:
>> |auth sufficient pam_unix.so
> auth sufficient pam_ldap.so use_first_pass
> auth required pam_deny.so|
>> and
>> |account sufficient pam_unix.so
> account sufficient pam_ldap.so
> account required pam_deny.so|
>>> Frank
>I think I have it working now. Putting the pam_ldap.so lines below the
pam_unix.so lines was what I tried first and that resulted in queries
happening against the ldap. After I changed the pam_unix.so lines to be
sufficient for pam_unix.so instead of required, it started working the
way i expected. My only question is there any problem with changing the
pam_unix.so to be sufficient instead of required? I am kind of a pam
n00b. Thanks
Mike